SSL

SSL

Prof. Ravi Sandhu

2© Ravi Sandhu

CONTEXT Mid to late 90’s

SSL 1.0 never released SSL 2.0 flawed SSL 3.0 complete redesign TLS from Netscape to IETF

Competitors SET backed by credit card companies S-HTTP (as opposed to https) IPSEC backed by IETF committees SSH for secure remote access to Unix hosts

3© Ravi Sandhu

CRYPTOGRAPHIC SERVICES

Confidentiality Encryption leaks profusely via side

channels Authentication + Integrity

No point having one without the other Non-repudiation

Requires asymmetric cryptography

4© Ravi Sandhu

SYMMETRIC KEY ENCRYPTION

EncryptionAlgorithm E

DecryptionAlgorithm D

Plain-text

Plain-text

Ciphertext

INSECURE CHANNEL

K KSymmetric Keyshared byA and B

CONFIDENTIAL AND AUTHENTICATED CHANNEL

A B

5© Ravi Sandhu

SYMMETRIC KEY AUTHENTICATION

MACAlgorithm M

VerificationAlgorithm V

Plain-text

Yes/NoPlaintext + MAC

INSECURE CHANNEL

K

A BK

MAC: Message Authentication CodeCONFIDENTIAL AND AUTHENTICATED CHANNEL

6© Ravi Sandhu

ASYMMETRIC KEY ENCRYPTION

EncryptionAlgorithm E

DecryptionAlgorithm D

Plain-text

Plain-text

Ciphertext

INSECURE CHANNEL

B's Public Key B's Private Key

AUTHENTICATED CHANNEL

A B

7© Ravi Sandhu

ASYMMETRIC KEY DIGITAL SIGNATURES

SignatureAlgorithm S

VerificationAlgorithm V

Plain-text

Yes/NoPlaintext + SignatureINSECURE CHANNEL

A's Private Key A's Public Key

AUTHENTICATED CHANNEL

A B

8© Ravi Sandhu

SPEED OF ASYMMETRIC KEY VERSUS SYMMETRIC KEY

Asymmetric key runs 2-3 orders of magnitude slower than symmetric key

This large difference in speed is likely to remain independent of technology advances

9© Ravi Sandhu

MESSAGE DIGEST

message digest algorithm

original messageno practical limit to size

message digest160 biteasy hard

sign the message digestnot the message

10© Ravi Sandhu

CHALLENGE RESPONSE AUTHENTICATION

HOSTWORKSTATION

NETWORK

User ID

Challenge

Response

11© Ravi Sandhu

PUBLIC-KEY CERTIFICATES authenticated distribution of public-

keys public-key encryption

sender needs public key of receiver public-key digital signatures

receiver needs public key of sender public-key key agreement

either one or both need the other’s public key

12© Ravi Sandhu

X.509v1 CERTIFICATEauthenticated distribution of public-keys

VERSIONSERIAL NUMBER

SIGNATURE ALGORITHMISSUER

VALIDITYSUBJECT

SUBJECT PUBLIC KEY INFOSIGNATURE

13© Ravi Sandhu

X.509v1 CERTIFICATE

11234567891011121314

RSA+MD5, 512C=US, S=VA, O=GMU, OU=ISE

9/9/99-1/1/1C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu

RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxxSIGNATURE

14© Ravi Sandhu

CRL FORMAT

SIGNATURE ALGORITHMISSUER

LAST UPDATENEXT UPDATE

REVOKED CERTIFICATESSIGNATURE

SERIAL NUMBERREVOCATION DATE

15© Ravi Sandhu

X.509 CERTIFICATES

X.509v1 very basic

X.509v2 adds unique identifiers to prevent

against reuse of X.500 names X.509v3

adds many extensions can be further extended

16© Ravi Sandhu

CERTIFICATE TRUST

how to acquire public key of the issuer to verify signature

whether or not to trust certificates signed by the issuer for this subject

17© Ravi Sandhu

SINGLE ROOT CA MODELRootCA

a b c d e f g h i j k l m n o p

RootCAUser

18© Ravi Sandhu

SINGLE ROOT CAMULTIPLE RA’s MODEL

RootCA


RootCA

User RA

User RA

User RA

19© Ravi Sandhu

MULTIPLE ROOT CA’s MODEL

RootCA


RootCAUser

RootCA

RootCA

RootCAUser

RootCAUser

20© Ravi Sandhu

MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL

X

Q

A

R

S T

C E G I K M O


ESTABLISHED BROWSER MODEL

21© Ravi Sandhu

SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY

Root

Brand BrandBrand

Geo-Political

Bank Acquirer

Customer Merchant

22© Ravi Sandhu

THE CERTIFICATE TRIANGLE

user

attribute public-key

X.509identity

certificate

X.509attribute

certificate

SPKIcertificate

23© Ravi Sandhu

SSL SERVICES

peer entity authentication data confidentiality data authentication and integrity compression/decompression generation/distribution of session keys

integrated into protocol security parameter negotiation

24© Ravi Sandhu

SSL ARCHITECTURE

SSL Record ProtocolTCPIP

SSLHandshake

Protocol

SSL ChangeCipher Spec

Protocol

SSLAlert

ProtocolHTTP

OtherApplicationProtocols

25© Ravi Sandhu

APPLICATION PORTS

https 443 ssmtp 465 snntp 563 sldap 636 spop3 995

ftp-data 889 ftps 990 imaps 991 telnets 992 ircs 993

26© Ravi Sandhu

SSL ARCHITECTURE

Handshake protocol: complicated embodies key exchange & authentication 10 message types

Record protocol: straightforward fragment, compress, MAC, encrypt

Change Cipher Spec protocol: straightforward single 1 byte message with value 1 could be considered part of handshake protocol

Alert protocol: straightforward 2 byte messages

• 1 byte alert level- fatal or warning; 1 byte alert code

27© Ravi Sandhu

SSL SESSION SSL session negotiated by handshake protocol

session ID• chosen by server

X.509 public-key certificate of peer• possibly null

compression algorithm cipher spec

• encryption algorithm • message digest algorithm

master secret• 48 byte shared secret

is resumable flag• can be used to initiate new connections• each session is created with one connection, but additional

connections within the session can be further created

28© Ravi Sandhu

SSL CONNECTION STATE

connection end: client or server client and server random: 32 bytes each keys generated from master secret, client/server random

client_write_MAC_secret server_write_MAC_secret client_write_key server_write_key client_write_IV server_write_IV

compression state cipher state: initially IV, subsequently next feedback block sequence number: starts at 0, max 264-1

29© Ravi Sandhu

SSL CONNECTION STATE

4 parts to state current read state current write state pending read state pending write state

handshake protocol initially current state is empty either pending state can be made current and

reinitialized to empty

30© Ravi Sandhu

SSL RECORD PROTOCOL

4 steps by sender (reversed by receiver) Fragmentation Compression MAC Encryption

31© Ravi Sandhu

SSL RECORD PROTOCOL

each SSL record contains content type: 8 bits, only 4 defined

• change_cipher_spec• alert• handshake• application_data

protocol version number: 8 bits major, 8 bits minor length: max 16K bytes (actually 214+2048) data payload: optionally compressed and encrypted message authentication code (MAC)

32© Ravi Sandhu

SSL HANDSHAKE PROTOCOL

initially SSL session has null compression and cipher algorithms

both are set by the handshake protocol at beginning of session

handshake protocol may be repeated during the session

33© Ravi Sandhu


Type: 1 byte 10 message types defined

length: 3 bytes content

34© Ravi Sandhu


Client Server

ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data

Fig. 1 - Message flow for a full handshake

* Indicates optional or situation-dependent messages that are not always sent.

Phase 1

Phase 2

Phase 3

Phase 4

RecordProtocol

35© Ravi Sandhu


Phase 1: Establish security capabilities

Phase 2: Server authentication and key exchange

Phase 3: Client authentication and key exchange

Phase 4: Finish

36© Ravi Sandhu

SSL 1-WAY HANDSHAKE WITH RSA

Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Fig. 1 - Message flow for a full handshake * Indicates optional or situation-dependent messages that are not always sent.

Phase 1

Phase 2

Phase 3

Phase 4

RecordProtocol

37© Ravi Sandhu

SSL 2-WAY HANDSHAKE WITH RSA

Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Fig. 1 - Message flow for a full handshake * Indicates optional or situation-dependent messages that are not always sent.

Phase 1

Phase 2

Phase 3

Phase 4

RecordProtocol

38© Ravi Sandhu


these 9 handshake messages must occur in order shown

optional messages can be eliminated 10th message explained later

hello_request message change_cipher_spec is a separate 1

message protocol functionally it is just like a message in the

handshake protocol

39© Ravi Sandhu


Client Server

ClientHello --------> ServerHello [ChangeCipherSpec] <-------- Finished [ChangeCipherSpec] Finished --------> Application Data <-------> Application Data

Fig. 2 - Message flow for an abbreviated handshake

40© Ravi Sandhu


hello_request (not shown) can be sent anytime from server to client to request client to start handshake protocol to renegotiate session when convenient

can be ignored by client if already negotiating a session don’t want to renegotiate a session

• client may respond with a no_renegotiation alert

41© Ravi Sandhu


Client Server




Phase 1

Phase 2

Phase 3

Phase 4

RecordProtocol

42© Ravi Sandhu

SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES

client hello 4 byte timestamp, 28 byte random value session ID:

• non-zero for new connection on existing session• zero for new connection on new session

client version: highest version cipher_suite list: ordered list compression list: ordered list

43© Ravi Sandhu


server hello 32 byte random value session ID:

• new or reuse version

• lower of client suggested and highest supported cipher_suite list: single choice compression list: single choice

44© Ravi Sandhu


cipher suite key exchange method

• RSA: requires receiver’s public-key certificates• Fixed DH: requires both sides to have public-key

certificates• Ephemeral DH: signed ephemeral keys are

exchanged, need signature keys and public-key certificates on both sides

• Anonymous DH: no authentication of DH keys, susceptible to man-in-the-middle attack

• Fortezza: Fortezza key exchangewe will ignore Fortezza from here on

45© Ravi Sandhu


cipher suite cipher spec

• CipherAlgorithm: RC4, RC2, DES, 3DES, DES40, IDEA, Fortezza

• MACAlgorithm: MD5 or SHA-1• CipherType: stream or block• IsExportable: true or false• HashSize: 0, 16 or 20 bytes• Key Material: used to generate write keys• IV Size: size of IV for CBC

46© Ravi Sandhu


Client Server




Phase 1

Phase 2

Phase 3

Phase 4

RecordProtocol

47© Ravi Sandhu

SSL HANDSHAKE: PHASE 2SERVER AUTHENTICATION & KEY EXCHANGE

Certificate message server’s X.509v3 certificate followed by optional chain of

certificates required for RSA, Fixed DH, Ephemeral DH but not for

Anonymous DH Server Key Exchange message

not needed for RSA, Fixed DH needed for Anonymous DH, Ephemeral DH needed for RSA where server has signature-only key

• server sends temporary RSA public encryption key to client

48© Ravi Sandhu

SSL HANDSHAKE: PHASE 2SERVER AUTHENTICATION & KEY EXCHANGE

Server Key Exchange message signed by the server signature is on hash of

• ClientHello.random, ServerHello.random• Server Key Exchange parameters

Certificate Request message request a certificate from client specifies Certificate Type and Certificate Authorities

• certificate type specifies public-key algorithm and use Server Done message

ends phase 2, always required

50© Ravi Sandhu

SSL HANDSHAKE: PHASE 3CLIENT AUTHENTICATION & KEY EXCHANGE

Certificate message send if server has requested certificate and client has

appropriate certificate• otherwise send no_certificate alert

Client Key Exchange message content depends on type of key exchange (see next slide)

Certificate Verify message can be optionally sent following a client certificate with signing

capability signs hash of master secret (established by key exchange) and

all handshake messages so far provides evidence of possessing private key corresponding to

certificate

51© Ravi Sandhu

SSL HANDSHAKE: PHASE 3CLIENT AUTHENTICATION & KEY EXCHANGE

Client Key Exchange message RSA

• client generates 48-byte pre-master secret, encrypts with server’s RSA public key (from server certificate or temporary key from Server Key Exchange message)

Ephemeral or Anonymous DH• client’s public DH value

Fixed DH• null, public key previously sent in Certificate Message

52© Ravi Sandhu

SSL HANDSHAKE: POST PHASE 3CRYPTOGRAPHIC COMPUTATION

48 byte pre master secret RSA

• generated by client• sent encrypted to server

DH• both sides compute the same value• each side uses its own private value and the

other sides public value

53© Ravi Sandhu

SSL HANDSHAKE: POST PHASE 3CRYPTOGRAPHIC COMPUTATION

master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random) [0..47];

pre_master_secret: 48 bytes

PRF is composed of a sequence and nesting of HMACs

55© Ravi Sandhu

SSL HANDSHAKE: PHASE 4FINISH

Change Cipher Spec message not considered part of handshake

protocol but in some sense is part of it Finished message

sent under new algorithms and keys content is hash of all previous messages

and master secret

56© Ravi Sandhu


Change Cipher Spec message 1 byte message protected by current state copies pending state to current state

• sender copies write pending state to write current state

• receiver copies read pending state to read current state

immediately send finished message under new current state

57© Ravi Sandhu


verify_data PRF(master_secret, finished_label, MD5(handshake_messages)+ SHA-1(handshake_messages)) [0..11];

finished_label For Finished messages sent by the client, the string "client finished". For Finished messages sent by the server, the string "server finished".

handshake_messages All of the data from all handshake messages up to but not including this message. This is only data visible at the handshake layer and does not include record layer headers.

Finished message

59© Ravi Sandhu

SSL ALERT MESSAGESWarning or fatal

close_notify(0), unexpected_message(10), bad_record_mac(20), decryption_failed(21), record_overflow(22),

decompression_failure(30), handshake_failure(40), bad_certificate(42), unsupported_certificate(43), certificate_revoked(44), certificate_expired(45), certificate_unknown(46), illegal_parameter(47), unknown_ca(48), access_denied(49), decode_error(50), decrypt_error(51), export_restriction(60), protocol_version(70), insufficient_security(71), internal_error(80), user_canceled(90), no_renegotiation(100),

60© Ravi Sandhu

SSL ALERT MESSAGES

always fatal unexpected_message bad_record_mac decompression_failure handshake_failure illegal_parameter

61© Ravi Sandhu

SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA

Client Server ClientHello --------> ServerHello Certificate <-------- ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data

RecordProtocol

HandshakeProtocol

62© Ravi Sandhu

SERVER-SIDE MASQUARADING

BobWeb browser

www.host.comWeb serverServer-side SSL

UltratrustSecurityServices

www.host.com

63© Ravi Sandhu


BobWeb browser

www.host.comWeb server

Server-side SSL UltratrustSecurityServices

www.host.comMallory’sWeb server

BIMMCorporation

www.host.com

Server-side SSL

64© Ravi Sandhu


BobWeb browser


Server-side SSL UltratrustSecurityServices

www.host.comMallory’sWeb server

Server-side SSL

BIMMCorporation


www.host.com

65© Ravi Sandhu

CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA

Client Server ClientHello --------> ServerHello Certificate CertificateRequest <-------- ServerHelloDone Certificate ClientKeyExchange CertificateVerify [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data

RecordProtocol

HandshakeProtocol

66© Ravi Sandhu

MAN IN THE MIDDLEMASQUARADING PREVENTED

BobWeb browser


Client-side SSL


www.host.com

Mallory’sWeb server

BIMMCorporation

Client-side SSL


www.host.com

Client Side SSLend-to-endUltratrust

SecurityServices

Bob

BIMMCorporation


Bob

SSL

Documents

Transcript of SSL